Fury as Google threatens to expose others’ security flaws
WASHINGTON: Google has given fellow tech companies an ultimatum: patch your software vulnerabilities within 90 days or we’ll make them public.
An elite team of Google hackers and programmers scrubs their own and competitors’ software for security flaws, giving companies a deadline to issue a fix.
Google says it wants software makers to move fast because cybercriminals act with lightning speed when they spot bugs.
“I’m not sure who made Google the official referee of the marketplace for vulnerability notification,” said John Dickson, a principal with software security company Denim Group in San Antonio.
He said pressuring companies to fix flaws is a good idea, but “what noble motives they had in mind could be called into question given the fact that they essentially outed vulnerabilities for two of their biggest rivals.”
Google established the team in July, calling it Project Zero after the much-feared “zero day” security flaws, and insists it is trying to help everyone as well as protect its own products that run on others’ devices and software.
That’s an activity some security experts say is more appropriate for a government agency. The respective roles of the private and public sectors are on the agenda at a cybersecurity summit Friday in Palo Alto, California, where President Barack Obama will call on technology leaders to improve cooperation and share more information.
Some researchers are wondering aloud, however, how much cooperation can be expected if the biggest Internet companies can’t play nice together.
“We support a variety of efforts, including Project Zero and our Security Reward Programmes, to find and fix online threats,” Aaron Stein, spokesman for the Mountain View, California-based Google, said in an email.
Apple declined to comment while Microsoft would only refer to a previous statement in which it said Google’s tactics felt like a game of “gotcha,” illustrating how divisive the issue is.
“If these companies can’t even get along, that’s just bad for security for the whole ecosystem,” said Jake Kouns, chief information security officer for Risk Based Security Inc in Richmond, Virginia.
Opponents of Google’s practice say it puts online security at risk by revealing gaps before they can be plugged.
“The decision feels less like principles and more like a ‘gotcha,’ with customers the ones who may suffer as a result,” wrote Chris Betz, senior director of Microsoft’s Security Response Centre.
“What’s right for Google is not always right for customers.” — WP-Bloomberg